Cloud survey and form building startup Typeform S.A. has been compromised as an unknown attacker stole a backup database that included data from across multiple companies that use the service.

Details of the compromise are sketchy. Typeform said that on June 27, “our engineering team became aware that an unknown third party gained access to our server and downloaded certain information. As a result of this breach, some data was compromised. We responded immediately and fixed the source of the breach to prevent any further intrusion.”

“Compromised” is used contextually here because it’s not known whether Typeform was hacked or this was a case of the company leaving the data exposed on a cloud service, a common occurrence these days.

Following the disclosure, a number of companies and organizations that were affected by the compromise have come forward. The partial solace is that because the data related only to surveys and forms, it would appear that no credit card data or passwords were stolen.

Leading those already disclosing that their data had been stolen was U.K. department store Fortnum & Mason, which said in an email to customers that “approximately 23,000 of our data entries have been affected” with “email addresses, survey/vote responses and for a smaller number of contacts, postal address and social handles” exposed.

Another coming forward was the Tasmania Electoral Commission, the Australian state’s regulatory body for elections, saying in a statement that while some of the data stolen have previously been made public, the data also included name, address, email and date-of-birth information provided by electors who had applied for express voting at the last state election.

U.K. online bank Monzo Bank Ltd. was also affected, saying in a blog post that it believes data relating to 20,000 customers was stolen, but in the vast majority of cases it was simply an email address.

The list of companies known to be affected by the compromise is likely to grow in coming days since Apple Inc., Uber Technologies Inc., Airbnb Inc., Nike Inc., Trello, HubSpot Inc., Indiegogo Inc., Forbes and Freshdesk have all been mentioned as using Typeform services in the past.

Typeform should be credited with disclosing the compromise quickly, having done so within two days. At the same time, it also had no choice in the matter because the recently introduced European Union General Data Protection Regulations compels it to do so with 72 hours.

What remains lacking is how was the data compromised to begin with. Clearly, Typeform knows, but not disclosing the details provides further questions as to what actually occurred, such as whether it involved its own negligence.

Image: Typeform